| | | |
|---|---|---|
| author | Koen Wilde <koen@chillheid.nl> | 2023-05-20 13:36:33 +0200 |
| committer | Koen Wilde <koen@chillheid.nl> | 2023-05-20 15:11:23 +0200 |
| commit | 0f37581eab9258755adf6fef2c6b46c20add6fc3 (patch) | |
| tree | bbcdeaba7eb75519677f54ac320e9d83cd6a00df /nixos/modules/services/networking | |
| parent | c7065be73d651f4a3034b8f0cff515d15113b398 (diff) | |
nixos/libreswan: Use StateDirectory to setup ipsec/nss
The systemd manual `systemd.exec(5)` addresses the partly overlapping functionality of the `tmpfiles.d(5)` setting and other, more semantic settings and recommends their use if they fit your needs because these semantic versions offer more guarantees. One of those guarantees is that they are guaranteed to be ready by the time the process starts whereas `tmpfiles.d` can be executed asynchronously. I believe this is the cause of some issues I ran into where I had to manually create the `/var/lib/ipsec/nss` directory. This patch fixed those issues for me.
Diffstat (limited to 'nixos/modules/services/networking')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | nixos/modules/services/networking/libreswan.nix | 7 |

1 files changed, 4 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 785729d8f742..637cd5493819 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -133,9 +133,6 @@ in "ipsec.d/01-nixos.conf".source = configFile; } // policyFiles; - # Create NSS database directory - systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; - systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; wantedBy = [ "multi-user.target" ]; @@ -153,6 +150,10 @@ in echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects ''; + serviceConfig = { + StateDirectory = "ipsec/nss"; + StateDirectoryMode = 0700; + }; }; }; |
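Review bot: the tmpfiles rule removed in the first hunk created `/var/lib/ipsec/nss` with mode 755, while the `StateDirectoryMode = 0700` that replaces it in the second hunk makes the NSS database directory root-only; this is a permission tightening as well as a mechanism change, and the commit message only describes the latter. Please mention it explicitly, and check on a system that already has the directory from the old rule whether the mode is actually adjusted by systemd or whether the pre-existing 755 directory is kept as is, so the reviewer knows which state upgraded hosts end up in.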
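Review bot: in the second hunk, `StateDirectoryMode = 0700;` is a Nix integer literal, and Nix has no octal syntax, so it evaluates to the decimal 700 and is rendered into the unit as `StateDirectoryMode=700`; systemd parses that field as octal, so the effective mode is the intended 0700, but only because the digits happen to coincide. Pass it as the string `StateDirectoryMode = "0700";` so the value in the module matches what ends up in the unit file. The ordering argument from the commit message does hold here: systemd sets up `StateDirectory=` before `ExecStartPre=` runs, so the directory exists when the existing preStart script and the daemon start, which the asynchronous tmpfiles rule did not guarantee.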